The 2018 Gartner Magic Quadrant for Security Information and Event Management (SIEM) was recently published, and reading it made this seem like a good time to reflect upon the latest trends in this well-established yet continuously evolving market. In its early days, the SIEM market was primarily driven by audit and compliance needs. But, as the threat landscape evolved and attackers became more sophisticated, SIEM solutions have had to keep up. A technology that was initially meant for compliance evolved into threat detection, and now, in many cases, it sits at the epicenter of the security operations center (SOC).
While not all SIEM providers have survived this decade of transition, the leading vendors have evolved to help security teams keep up with today’s constant barrage of threats, better defend new environments from advanced and targeted attacks, and effectively address threats despite a growing cybersecurity skills shortage. While some SIEMs did die, the old adage of “SIEM is dead” is certainly not true.
Read the 2018 Gartner Magic Quadrant for SIEM
3 Key Trends in SIEM Evolution
Looking back at the last 12 to 18 months, I see three key trends that have had a major impact on the next phase of SIEM evolution.
First, adversaries continue to use tactics such as well-crafted spear phishing emails to exploit users, compromise credentials and use insider access to steal critical enterprise data. As these threats increasingly become signature-less, defenders need new ways to identify not just known threats, but also symptoms of unknown threats. As this need has grown, so have technologies such as machine learning and advanced historical analysis, which help detect anomalous behaviors and enable defenders to respond faster so they can stop attackers before damage is done.
Second, the adoption of new technologies, such as cloud infrastructure and the Internet of Things (IoT), has increased the attack surface and, in many cases, created new blind spots. While these new systems and environments can help create new business advantages, they can also create new risks. As a result, more than ever before, security teams are looking to SIEM solutions to gain a comprehensive, centralized view into cloud environments, on-premises environments, and network and user activity to increase their situational awareness and enable them to better manage cybersecurity risks.
Third, thanks to a growing cybersecurity skills shortage, organizations are demanding solutions that are easier to deploy, manage and maintain. Modern threat detection capabilities require an ever-growing number of data sources, and the addition of those data sources can require significant integration and tuning effort. Resource-constrained teams simply don’t have the luxury of allocating this much time or effort to managing a solution. Instead, they demand ongoing assistance to continuously improve detection and investigation processes — without needing to dedicate expensive in-house experts or buy months of professional services.
Security Teams Need a More Advanced SIEM Solution
In the past year, the leading SIEM vendors recognized the above three market trends and invested significant effort into evolving their solutions to address the challenges. By developing open app-based ecosystems, vendors are now able to deliver prebuilt integrations, security use cases and reports that can be easily consumed. As a result, customers are able to address what matters most in their unique environments without introducing unnecessary complexity or requiring major system upgrades.
For example, to address more sophisticated attackers, security teams should be able to leverage prebuilt, fully integrated analytics for targeted use cases, such as detecting endpoint threats, compromised user credentials and data exfiltration over the Domain Name System (DNS). This approach can help security teams leverage their vendor’s expertise to outpace attackers — without having to become experts in each and every technology themselves.
To better address the rapid adoption of new technologies such as infrastructure-as-a-service (IaaS), security teams should be able to easily integrate their SIEM platform with cloud environments such as AWS, Azure and Google Cloud to gain centralized visibility into misconfigurations and emerging threats such as cryptocurrency mining.
Lastly, to help address the challenges associated with the cybersecurity skills shortage, organizations can look to solutions that provide built-in automation and intelligence. Unique offerings such as cognitive assistants are available to provide intelligent insights into the root cause, scope, severity and attack stage of a threat, helping security analysts punch above their cybersecurity weight class. Additional expertise can be provided with built-in guidance to help analysts address new use cases and more easily tune systems. As a result of these innovations, security teams can become more effective despite having limited resources and budgets.
Leading the Way With New SIEM Platform Innovations
As the landscape continues to evolve, cybersecurity teams can no longer rely on closed, complex solutions for threat detection and investigation. Instead, they need to be able to rely on a proven, flexible SIEM platform that offers open ecosystems packed with out-of-the-box integrations, security use cases and reports to address a variety of needs — ranging from compliance to advanced threat detection — across on-premises and cloud-based environments.
This year, we’re proud that IBM was named a Leader in the 2018 Gartner Magic Quadrant for SIEM, marking our 10th consecutive year in the “Leaders” Quadrant. But we’re even prouder that organizations continue to choose IBM QRadar day in and day out because of our demonstrated commitment to their evolving needs.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
VP, Product Management, IBM Security
Chris Meenan is the VP of Product Management within the IBM Security division. He has over 10 years experience in product management and been involved in dev...